Ghost Solution Suite

I am used to running task commands using CMD /c.  With windows 7 in need to confirm I have elevated rights (which the ghost console account does have).  If on the client myself, I would open an elevated command prompt.  How can I do this from the task gui.

For example, how can I run this as admin (that is with elevated rights) on "target OS actions"

cmd.exe /c move /y "c:\sqldeveloper (fixed) - Shortcut.lnk" "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open Source & Community Free Software" 

Incase you are wondering the shortcut in this instance already exists on the client, I just need to get it on the startmenu, which requires elevated rights, without further interaction.

Thanks. I have been googling and looking in forum, but have not got the exact answer (context) I needed.  Do I have to use the "runas" command first?  Exact answer to example above would be great.  We are an a ADS domain, and the account the ghost console in running under, has admin rights on the client.

Thanks.

(First for me post here, sorry for any mistakes, in advance).

Something that has been explained here on Connect and in KB articles and such like (and is also readily observable with tools like Process Explorer) is that the both the management server's service - ngserver.exe - and the management client service - ngctw32.exe - do not run as *any* logged-in user.

Rather, they run, as most services do, in the special service context under a built-in account known as LocalSystem (aka .\System) which has a particular special user right not available to any other account called SE_TCB_NAME that is required to use some of the low-level APIs that the service applications need to call. All the processes spawned by the management client also run in this special account context, which gives them the maximum amount of power (even more than an Administrator account) to affect the local system.

[ Note that when running under Windows PE in a pre-boot environment, there is no user account database and so all processes run in Windows PE also use the special LocalSystem account environment. ]

The special role played by the domain-level account is also documented: it exists *solely* to create (or move from one AD container to another)  machine accounts on a domain which is targeted by a "join to domain" task step, and is not used for any other purpose at all - the account is never logged in, and is simply used for remote authentication in RPC connections, and is never transmitted or used to clients.

The management server process does temporarily take on other identities for special purposes during the execution of a task to work around peculiarities of Windows security that customers are frequently aware of, such as rights to network shares. When a task is initiated, the management server retains a copy of the identity of the user that launched the task and will temporarily impersonate that user to access resources such as files and images that are often stored in places which would otherwise be inaccessible. Again, however, that identity is never transmitted to, or used by, clients.

So, elevation as a concept does not apply to commands launched through the console; commands are always launched with the maximum privilege it is possible for a process to have. However, there are some small trade-offs for this: one is that processes running as LocalSystem do not have any user's identity on the network (if they are members of a domain, there is some tricky special-casing inside Windows that makes access by such process authenticate as the machine itself, since in Active Directory environments machines themselves have user accounts which can be added to ACLs).

The other minor tradeoff is that per-user parts of the normal process environment, such as registry keys under HKEY_CURRENT_USER do not refer to any user's data; some aspects of Windows configuration such as that of printer settings is always stored per-user, and so scripts which alter such settings simply need to be aware that Windows is in fact a multi-user operating system. Since they are run under the LocalSystem account, scripts launched by the management agent have the ability to enumerate and modify all the user profiles present on a client machine, and so scripts which alter settings that are strictly per-user need to make use of that capability.

To add to what Nigel described so succinctly, if you use roaming profiles, the user profile(s) you need to target may not be present on the machine at the time of deployment. In that situation, you may need to resort to using something like ActiveSetup to populate each user profile the first time they log on to the machine after the deployment (www.etlengineering.com/installer/activesetup.txt).

Finally, deploying shortcuts "per machine" (ie to the All Users profile) allows any user to see them, and this profile is available on the machine regardless of any other profiles, local or roaming.

Thanks,

The context:

-We do not use roaming profiles.These are public machines, and user profiles are removed at reboot.

-I am tryint to add an icon to the (all user/public) start menu on already deployed WIN7 machines (500). I have no problems copying the icon to other test folders, but when trying to copy into:

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open Source & Community Free Software"  I run into the

I run into the following:

• Ghost Task running CMD to Copy shortcut from other local folder on client machine: Fails
• Manually using command line on Client machine to COPY shortcut  from other local folder on client machine (after remoting to it): Fails, unless elevated command prompt is used, then it works fine.
• Using OS GUI to copy and paste shortcut into folder: Succeeds, but Windows UAC prompts to continue.  As account is admin, after confirmation, Paste is completed without further interacation (no account name or password needed to be entered).

So I am able to run tasks with command, even admin level tasks just fine using the Ghost console, EXCEPT apparently when Windows UAC is involved and the CMD would need to be carried out in an elevated rights context, or the operations needs some sort of confirmation in responce to UAC to continue. And apparently Windows UAC in involved when you try to mess with the public start menu.

If there is another way to accomplish placing the icon on the start menu with the ghost console (placing the shortcut), I would be glad to try. Ghost has a hard time transferring a shortcut "file", as it seems confused by the referencing in the task creation. So I have to rename the shortcut and place on the ghost console machine, transfer the file to the client, then rename the shortcut back to a shorcut extension LNK.  Due to the above complications and in order to troubleshoot, I was first transferring the file to folder that did not have UAC involved, renaming the shortcut back to a shortcut extension, and then copying the shortcut to the appropriate start menu folder. (in case anyone was wondering).

On XP machines I would not be having a problem. Something that used to be so simple for the Ghost console is now "not working".

Thanks for any further advice...

The path C:\ProgramData\Microsoft\Windows\Start Menu\Programs\  has restricted write permissions - basically only the system account and an elevated admin account can write there.

Have you tried setting the Admin Approval Mode in group policy? This should remove the UAC display when running as admin, if my understanding is correct.

Shortcuts can also be created using VBScript, so this may offer you an alternative way of installing shortcuts. It would not be that difficult to include shortcut creation code in a user's login script, allowing you to provide a tailored experience for your users without having to place shortcuts into "common" folders.

I had a similiar issue with jobs and tasks (in Symantec Management Platform NS) and command line commands, like copy and move. The final resolution was to run the command line jobs with one of the altiris admins credintials under the advanced -> run as for the job. I have since had all my hair grow back that I pulled out figuring it out. HTH!